As Remote Desktop Protocol (RDP) and Virtual Private Network (VPN) hacking continues to grow, companies need to regularly update remote access software and all systems that can be used to access company data.
According to the Verizon 2021 Data Breach Investigations Report, "Organizations that neglected to implement multi-factor authentication, along with virtual private networks, represented a significant percentage of victims targeted during the pandemic," because more people are performing remote work that requires Remote Desktop connections and VPN access.
A key characteristic of RedTeam Security's Advanced Adversary Simulation is the luxury of time. Just as a real adversary will spend weeks, if not months, blending into a company's network, our team uses a combination of attack vectors to conceal their identity. They perform calculated and thoughtful tactics to achieve their objectives slowly and purposefully.
For example, if RedTeam tests a hybrid network environment, they will first obtain a foothold in the target environment. Once there, they employ a variety of persistence mechanisms to maintain that foothold. The team evaluates their current position against the target, then begins taking steps to escalate their presence and move toward the objective using a VPN tunnel. All activity during this phase is kept to an absolute minimum, as superfluous activity could be noticed and compromise the entire operation. Once in the cloud, they evaluate their progress and determine how best to obtain the next level of access to unauthorized data. Using additional in-house developed tools to ensure they don't lose any forward progress, they search out data for exfiltration.
The example above uses a variety of attack vectors and may take days or even weeks for the team to achieve their objectives. It's a relevant example, as remote access systems and VPNs remain common points of entry for attackers. Attackers can easily guess default RDP logins or brute-force RDP passwords to gain control. Additionally, since Remote Desktop Protocol and VPN services are always up and running and require manual patching, it can be challenging for many companies to keep their RDP and VPN systems updated, making them easy targets.
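The password guessing and brute forcing described above leaves a very visible trail on the defender's side: a burst of failed RDP logons (Windows Security Event ID 4625 with logon type 10, RemoteInteractive) from one source, sometimes followed by a success (Event ID 4624). The following Python is an added example, not code from RedTeam Security or from this article, that flags that pattern over a handful of constructed log records. The line format, the five-failures-in-five-minutes threshold, and the IP addresses and usernames are all assumptions made for the example; a real deployment would parse the event log export it actually receives and tune the threshold to its own baseline.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records (not real logs), modelled on Windows Security
# events 4625 (failed logon) and 4624 (successful logon). Logon type 10 is
# RemoteInteractive, which is what an RDP session produces.
SAMPLE_EVENTS = [
    "2021-06-01T02:00:01 EventID=4625 LogonType=10 User=administrator Src=203.0.113.7",
    "2021-06-01T02:00:09 EventID=4625 LogonType=10 User=administrator Src=203.0.113.7",
    "2021-06-01T02:00:17 EventID=4625 LogonType=10 User=admin Src=203.0.113.7",
    "2021-06-01T02:00:26 EventID=4625 LogonType=10 User=admin Src=203.0.113.7",
    "2021-06-01T02:00:35 EventID=4625 LogonType=10 User=guest Src=203.0.113.7",
    "2021-06-01T02:00:44 EventID=4625 LogonType=10 User=administrator Src=203.0.113.7",
    "2021-06-01T02:01:10 EventID=4624 LogonType=10 User=administrator Src=203.0.113.7",
    # A user mistyping a password twice in the morning: noise, not an attack.
    "2021-06-01T08:30:00 EventID=4625 LogonType=10 User=jsmith Src=198.51.100.22",
    "2021-06-01T08:31:15 EventID=4625 LogonType=10 User=jsmith Src=198.51.100.22",
    "2021-06-01T08:31:40 EventID=4624 LogonType=10 User=jsmith Src=198.51.100.22",
    # Slow failures spread over an hour from a third host: below the rate threshold.
    "2021-06-01T10:00:00 EventID=4625 LogonType=10 User=svc_backup Src=192.0.2.5",
    "2021-06-01T10:12:00 EventID=4625 LogonType=10 User=svc_backup Src=192.0.2.5",
    "2021-06-01T10:24:00 EventID=4625 LogonType=10 User=svc_backup Src=192.0.2.5",
    "2021-06-01T10:36:00 EventID=4625 LogonType=10 User=svc_backup Src=192.0.2.5",
    "2021-06-01T10:48:00 EventID=4625 LogonType=10 User=svc_backup Src=192.0.2.5",
    # A console (type 2) failure is not RDP and is ignored by this rule.
    "2021-06-01T11:00:00 EventID=4625 LogonType=2 User=administrator Src=-",
]

# Assumed line layout for the constructed records above.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) EventID=(?P<eid>\d+) LogonType=(?P<lt>\d+) "
    r"User=(?P<user>\S+) Src=(?P<src>\S+)$"
)
RDP_LOGON_TYPE = 10


def parse_event(line):
    """Turn one log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {
        "ts": datetime.fromisoformat(m["ts"]),
        "event_id": int(m["eid"]),
        "logon_type": int(m["lt"]),
        "user": m["user"],
        "src": m["src"],
    }


def find_rdp_bruteforce(lines, threshold=5, window_seconds=300):
    """Return {src: summary} for every source that produced at least
    `threshold` failed RDP logons inside any `window_seconds` span, and
    record whether a successful RDP logon from that source followed."""
    window = timedelta(seconds=window_seconds)
    failures = defaultdict(list)   # src -> [(timestamp, user), ...]
    successes = defaultdict(list)  # src -> [timestamp, ...]
    for line in lines:
        ev = parse_event(line)
        if ev is None or ev["logon_type"] != RDP_LOGON_TYPE:
            continue
        if ev["event_id"] == 4625:
            failures[ev["src"]].append((ev["ts"], ev["user"]))
        elif ev["event_id"] == 4624:
            successes[ev["src"]].append(ev["ts"])

    findings = {}
    for src, fails in failures.items():
        fails.sort()
        start = 0
        # Sliding window over the sorted failures: [start, end] always spans
        # at most `window`, so its size is the failure rate at that moment.
        for end in range(len(fails)):
            while fails[end][0] - fails[start][0] > window:
                start += 1
            if end - start + 1 >= threshold:
                last_fail = fails[end][0]
                findings[src] = {
                    "failures": len(fails),
                    "users": sorted({u for _, u in fails}),
                    # A success after the burst is the case that needs a
                    # response, not just an alert.
                    "success_after": any(t > last_fail for t in successes[src]),
                }
                break
    return findings


if __name__ == "__main__":
    for src, info in find_rdp_bruteforce(SAMPLE_EVENTS).items():
        print(src, info)
```

Run as-is, the rule flags only 203.0.113.7: six failures across three account names in under a minute, followed by a successful logon as administrator. The two mistyped passwords from 198.51.100.22 and the slow, spaced-out failures from 192.0.2.5 stay below the threshold, which is the point of rating by window rather than by raw count; lengthening the window to an hour would catch the slow source as well, at the cost of more noise. The rule says nothing about whether MFA was in place, which is why the report's advice to require it on every remote access path still applies regardless of how good the detection is.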
In fact, advanced adversarial attacks have become so common that the Verizon 2021 Data Breach Investigations Report introduced a new Incident Classification Pattern called "System Intrusion," which covers attacks that involve multiple steps. In this classification, the report shows "malware being involved in over 70% of the cases and hacking in over 40%." In either group, once a malicious actor extracts or encrypts a company's data, they can sell it, threaten to release it publicly, or destroy it if a ransom is not paid. Even if a ransom is paid, an attacker might still do any or all of those things.
To protect a company's network, it has become crucial to understand which tools and techniques are the most relevant to defend against an actual attack. Using Advanced Adversary Simulation to test your company's controls against attacks that mirror what is happening in the wild is the best way to prevent an unauthorized presence in your company's network.
An Advanced Adversary Simulation Report provides evidence collected through screenshots and narrative to detail:
Q: Why would an organization want to do cloud infrastructure?
Brian: Cloud infrastructure is really a way to be more agile, more nimble. It allows companies a lot more flexibility and a lot more opportunities to stay competitive in different markets.
Q: What is the process that you would use to penetrate a cloud environment?
Brian: For cloud pen testing, that's an interesting one because there are a couple of different ways to gain access. It also depends on the cloud service you are using and the authentication mechanisms or different ways that that cloud service communicates back to you. And so we'll kind of craft an attack based on what service you're using.
There are different tool suites based on different services. If you're in AWS, there's a whole suite of attacker tools. If you're in Google or GCP, there's a different suite of attacker tools. We have different suites of tools because you kind of need to speak the underlying protocol that is needed to talk to these different cloud services and enumerate them and try to attack them.
Q: Do the bad guys have a preference for attacking on-premises or cloud environments?
Brian: So, as an attacker, I'm not sure that there is a total preference for on-prem versus cloud, and it's one of those things where, well, why are we seeing more cloud attacks, and why are we still seeing the continued on-premises attacks?
And it reminds me, there is a quote from a bank robber years ago. I think Willie Sutton said, when he was asked why he robbed banks, well, that's because that's where all the money is. So why are attackers going after the cloud? Well, that's where you're putting all your valuable data. So if you're putting all your valuable data in the cloud, you'd better be sure that you are also investing heavily in some sort of cloud security in addition to on-prem security, because oftentimes, if we can get on-prem, we've seen occasions where there are VPN tunnels to the cloud assets. So we can just ride that VPN tunnel, and you know, that's where all the money is.